Published: 31/01/2024 Updated: 09/02/2024

CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9

VMScore: 0

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.

Vulnerable Product	Search on Vulmon	Subscribe to Product
mobyproject buildkit

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of ...

DescriptionA vulnerability was found in the Moby Builder Toolkit, which arose from BuildKit's attempts to clean up temporarily added directories after use A malicious BuildKit frontend or Dockerfile using RUN --mount could deceive the feature responsible for removing empty files created for the mount points, potentially leading to removing ...

PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) ...

Leaky Vessels Dynamic Detector

Leaky Vessels Dynamic Detector In this repository you'll find a reference implementation for an eBPF-based runtime detection for the runc and Docker vulnerabilities CVE-2024-21626, CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653 It hooks into Linux syscalls (eg, chdir, mount) and function invocations of the Docker daemon and associates them with Docker builds and con

Static detection tool for runc and Docker "Leaky Vessels" vulnerabilities

Leaky Vessels Static Detector A static analysis based exploit detector for runc and Docker vulnerabilities Overview runc processcwd & Leaked fds Container Breakout [CVE-2024-21626] CVE-2024-21626 is a vulnerability in the runc container runtime allowing an attacker to break out of the container isolation and achieve full root RCE via a crafted image that exploits an

Leaky Vessels Dynamic Detector In this repository you'll find a reference implementation for an eBPF-based runtime detection for the runc and Docker vulnerabilities CVE-2024-21626, CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653 It hooks into Linux syscalls (eg, chdir, mount) and function invocations of the Docker daemon and associates them with Docker builds and con

CWE-22 https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 https://github.com/moby/buildkit/pull/4603 https://github.com/moby/buildkit/releases/tag/v0.12.5 https://nvd.nist.gov https://github.com/snyk/leaky-vessels-dynamic-detector https://alas.aws.amazon.com/AL2/ALASDOCKER-2024-039.html

CVE-2024-23652

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect